Thanks in large part to advancements in digitization and Web technologies, employers now have access to more information about their employees than at any previous period in our country’s history. Since the mid-1990s, employers have gained increasing access to employee healthcare data. But this proliferation of information at HR pros’ fingertips introduces new challenges for organizations.
Over the last 18 years, four developments transformed employer access to employee healthcare records: the passage of the Health Insurance Portability and Accountability Act (HIPAA) in 1996, the enforcement of its Privacy Rule in 2003, the revisions made to HIPAA in 2009’s Health Information Technology for Economic and Clinical Health (HITECH) Act, and the gradual adoption of electronic health record (EHR) systems by healthcare providers.
Yet even as access to individuals’ health data increased, the U.S. Congress also enacted regulations governing how this information must be managed and safeguarded.
HIPAA’s Privacy Rule created protections for “all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.” It defined this as protected health information (PHI). HIPAA’s Privacy Rule, as well as its Administrative Simplification provisions, enacted guidelines that both “covered entities” and their “business associates” must follow when collecting, using and disclosing an individual’s PHI, regardless of its format.
HIPAA’s Administrative Simplification standards classify health plans, healthcare clearinghouses and healthcare providers as “covered entities.” Hence, its regulations apply to any individuals or organizations that fall under the definition of a “covered entity.”
Furthermore, the HITECH Act, which amended HIPAA by expanding its reach, extended HIPAA’s Privacy and Security Provisions over “covered entities” and their “business associates.” HIPAA’s Privacy Rule defines a “business associate” as “a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing.”
Under the expanded regulations of HIPAA, made possible through some of the HITECH Act’s key provisions, “covered entities” and their “business associates” are confined to collecting, sharing and using only certain types of PHI.
You might ask yourself, where does this leave an employer who cannot be classified as either a “covered entity” or “business associate”?
Although most employers are not themselves “covered entities,” in most cases they are still affected by HIPAA’s regulations on how “covered entities” must handle PHI. For instance, HIPAA’s Privacy Rule does not directly regulate these employers in their role as plan sponsors. But the company group health plans that these employers sponsor do fall under HIPAA’s definition of a “covered entity.” Thus, HIPAA does regulate the group health plans that are sponsored by these employers. HIPAA defines a health plan as “an individual or group plan that provides, or pays the cost of, medical care.”
As a consequence, the majority of employers who provide health care benefits are affected by HIPAA’s Privacy Rule to varying degrees.
Other areas of HIPAA, like its Security Rule, which focuses exclusively on PHI that is stored or transmitted electronically, also regulate certain types of employers. The Security Rule applies to employers who sponsor self-insured group health, dental and/or vision plans with 50 or more participants, or that are administered by a third party. In addition, the Security Rule applies to healthcare reimbursement flexible spending accounts and employee assistance programs. The U.S. Department of Health and Human Services (HHS) defines the Security Rule’s primary objective as being to “protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.”
Given HIPAA’s wide-reaching influence, most employers need to be doing more to make sure that their HR workforce is knowledgeable about HIPAA regulations. With the exception of cases involving “covered entities”, or “business associates” working in healthcare, most employers do not provide adequate amounts of HIPAA training to their HR employees. Employers need to invest in resources and comprehensive training that will enable their HR staff to properly identify, handle and protect PHI.
Data published by HHS showed that a glaring need exists for employers to provide this type of training to their HR staff. HHS’s Annual Report to Congress on Breaches of Unsecured Protected Health Information revealed the most common causes of large breaches in 2010. The report provided the following data on the general causes of breaches of unsecured PHI during that year:
- Theft was the most common reported cause of large breaches.
- Among the 207 breaches that affected 500 or more individuals, 99 incidents involved theft of paper records or electronic media, together affecting approximately 2,979,121 individuals.
- Loss of electronic media or paper records affected approximately 1,156,847 individuals.
- Unauthorized access to, or uses or disclosures of, PHI affected approximately 1,006,393 individuals.
- Human or technological errors, or other failures to take adequate care of PHI, affected approximately 78,663 individuals.
- Improper disposal of paper affected approximately 70,279 individuals.
Aside from offering HIPAA training to their HR teams, organizations also need to establish clear policies that detail the responsibilities and processes for reporting a potential PHI breach. Those policies should also summarize how, if necessary, corrective action will be taken by the responsible parties. Every policy also needs to define the different levels of a PHI breach, and the corresponding corrective action that must be taken at each level.
In addition, every HR pro should become familiar with HIPAA’s provisions for working with “business associates.” It is incumbent upon HR managers to make sure that their staff understand what is required of them, and of any “business associates” they work with, when analyzing, processing and disposing of PHI.
Likewise, HR departments that choose to partner with a background screening company, which can be defined under HIPAA as a “business associate,” should be especially selective. It is critical to choose a background screening company that is well-versed in the HIPAA regulations it must abide by in its role as a “business associate.”
Rapid advancements in technology, along with two decades of game-changing legislation, have significantly altered employers’ access to, and responsibilities around, employee health information. Every employer needs to understand what is required of them. Moreover, they need to make sure that their HR teams are equipped with the right knowledge and tools to handle this information in the correct fashion.